L2TP IPSec VPN must reboot to reconnect

Hi all,
I’m experiencing a strange problem with a CCR1036 acting as L2TP/IPsec concentrator for about 10 RB750GL routers connecting to it over VPN.

The CCR is behind an ADSL modem router just like the 750s.
When configuring or installing for the first time the RBs there are no problems at all: everything works at the first attempt (all the RB750 are configured from the same “template” RB).

Here is the real problem: when there are internet connection issues, the CCR goes offline and, of course, all VPNs drop…but when the CCR comes back online, the VPNs don’t reconnect. Well, some of them reconnect (“R” on the L2TP server binding interface) but the VPN is not working properly (no traffic). In all cases I am forced to reboot all the 750s…sometimes their ADSL router must be rebooted as well!

This is a problem since client RBs are in most cases far from the server, so we have to call customers to manually reboot them.

Why is this happening?
It seems like the VPN connection remains pending after the CCR suddenly goes offline, and we are forced to reboot the RB to let it restart the L2TP/IPSec negotiation.

Any solution to prevent this kind of event? I’m thinking about a workaround such as a watchdog that forces the RB to reboot when the server IP is not reachable, but I would like a better solution.

Any idea?

Thanks guys…

You should mention the RouterOS version. I had such problems in the past with SSTP, but in more recent versions I have not noticed that. I am using L2TP without IPsec now and having no problems.

Hi,
thank you for your reply.

Since the CCR is in production I can’t reboot it to upgrade, so it is still running v6.29.1.

The RB750 clients run RouterOS from 6.29.1 to 6.33.2 (and they all show the same behaviour).

Try 6.32.3 when you can.

I’m seeing this issue too. When the upstream router or modem gets disconnected from the internet and then reconnects, the MikroTik doesn’t re-establish the L2TP tunnel. Using v6.34rc19.

At the moment I’ve programmed a “workaround” on each client.

I configured a Netwatch entry pinging the IP address of the L2TP server: when it goes down, the Netwatch script disables the L2TP client interface, waits 10 seconds and then re-enables it. It does the same when the server comes back online.

It works, but I don’t think it’s a “real” solution to the problem…
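As an added example (not the poster’s own configuration, which was not shared in the thread), here is how that Netwatch workaround can be expressed in RouterOS 6 CLI syntax. The server address 203.0.113.10 and the client interface name l2tp-out1 are placeholders; substitute the real values on each RB750.

```routeros
# Added example, not from the original thread.
# Assumed placeholders: L2TP server public address 203.0.113.10,
# L2TP client interface named "l2tp-out1".
#
# Netwatch fires down-script/up-script only on a state change, not on
# every probe, so a long outage bounces the interface once, not repeatedly.
/tool netwatch add host=203.0.113.10 interval=30s timeout=3s \
    comment="bounce L2TP client when the concentrator changes state" \
    down-script="/interface l2tp-client disable [find name=\"l2tp-out1\"]; \
                 :delay 10s; \
                 /interface l2tp-client enable [find name=\"l2tp-out1\"]" \
    up-script="/interface l2tp-client disable [find name=\"l2tp-out1\"]; \
               :delay 10s; \
               /interface l2tp-client enable [find name=\"l2tp-out1\"]"

# Check what Netwatch currently sees and when it last changed state.
/tool netwatch print detail
```

One caveat when choosing the watched host: a ping to the server’s public address leaves via the WAN, not through the tunnel, so it only detects the concentrator being unreachable. The symptom in the first post (interface shows “R” but passes no traffic) is caught only if the watched address is reachable solely through the tunnel, for example the server’s local-address on the L2TP binding; with that host, a hung tunnel fails the probe, the down-script bounces the client, and the up-script confirms the rebuilt tunnel is actually forwarding.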

I had the same issues with L2TP/IPsec; I’m using EoIP/IPsec now and doing a reboot every 4 hrs…

Tested on RouterOS 6.33.3 and 6.34rc19.